1. Monitor Service

Alibaba Cloud CloudMonitor is a service that monitors Alibaba Cloud resources and IoT (Internet of Things) applications. It collects monitoring metrics for Alibaba Cloud resources, or custom metrics defined by the user, to detect service availability, and lets you set alerts on those metrics. It gives you full visibility into resource usage, service status, and service health on Alibaba Cloud, so that you can respond promptly to error alerts and keep your application running smoothly.

Azure Monitoring is the act of collecting and analyzing data to determine the performance, health, and availability of your business application as well as the resources that it depends on. An effective monitoring strategy helps you understand the detailed operation of your application’s components. It also helps you increase your uptime by proactively notifying you of critical issues so that you can resolve them before they become problems.

1.1 Main functions comparison

In general, Alibaba Cloud CloudMonitor supports more functions than AWS CloudWatch. The following table shows the details of the comparison.

Monitoring: Supports monitoring of all cloud products that have been connected to CloudMonitor.

Azure Monitor

Microsoft Azure provides rich monitoring metrics that allow users to monitor the running load and status of the cloud host. By default, Azure Monitor enables the following four metrics for a host: CPU, memory, disk and network. Users can select the monitoring metrics they want to enable in the Azure console.

Metric alerts can run as frequently as once every minute. Classic metric alerts always run at a frequency of once every 5 minutes.

You can alert on dimensional metrics, which means you can monitor a specific instance of the metric.

Azure Monitor provides basic infrastructure metrics and logs for most services available in Microsoft Azure.

An action group is a collection of notification preferences defined by the user. Azure Monitor and Service Health alerts are configured to use a specific action group when the alert is triggered. Various alerts may use the same action group or different action groups depending on the user’s requirements.

Azure Monitor provides two out-of-the-box roles: a Monitoring Reader and a Monitoring Contributor.

Monitoring Reader: People assigned the Monitoring Reader role can view all monitoring data in a subscription but cannot modify any resource or edit any settings related to monitoring resources.

Monitoring Contributor: People assigned the Monitoring Contributor role can view all monitoring data in a subscription and create or modify monitoring settings, but cannot modify any other resources.

1.7 Custom monitoring

Alibaba CloudMonitor

Using custom monitoring, you can quickly integrate Redis, MySQL, and other monitoring metrics into Alibaba Cloud CloudMonitor.

Custom monitoring is a feature that allows you to customize monitoring metrics and alert rules. By using this feature, you can monitor service metrics that you care about, and report collected monitoring data to Alibaba Cloud CloudMonitor, so that Alibaba Cloud CloudMonitor can process the data and generate alerts according to the results.

Azure Monitor

You can use the Azure Monitor REST API, cross-platform Command-Line Interface (CLI) commands, PowerShell cmdlets, or the SDK to access the data in the system or in Azure storage. Examples include getting data for a custom monitoring application you have written, and creating custom queries and sending that data to a third-party application.

For alerting, log search alerts can use a custom period and frequency, specified in minutes.

2 Comparison of Access Management

Alibaba Cloud Resource Access Management (RAM) is a management service designed for the centralized management of cloud identities and access permissions. You can use RAM to grant access and management permissions to Alibaba Cloud resources to your enterprise members or partners.

Multi-tenant, geographically distributed and highly available design in Azure AD

|  | Alibaba Cloud RAM | Azure AD |
| --- | --- | --- |
| Security | Token, access key | Multi-factor authentication and security tokens |
| Operation audit | Supported | Supported |
| API/SDK/CLI | API/SDK/CLI | API/SDK/CLI |
| Expenses | Free | Free version + paid version |

2.2 Identity Management Comparison

2.2.1 User Management

A RAM user is an Alibaba Cloud RAM identity that corresponds to an operating entity, such as an operator or an application. If a new user or application needs to access your cloud resources, you must create a RAM user for it and grant it access to the relevant resources.

Azure Active Directory (Azure AD) is a cloud-based directory and identity management service that combines core directory services, application access management, and identity protection into a single solution. Microsoft’s identity solutions span on-premises and cloud-based capabilities, creating a single user identity for authentication and authorization to all resources regardless of location.

2.2.2 Group Management

If you have created multiple Alibaba Cloud RAM users under your Alibaba Cloud account, we recommend that you use groups to better manage the users and their permissions. You can create a group for RAM users who share the same responsibilities and grant permissions by group. This provides the following advantages:

When a user’s responsibility changes, you only need to move this user to a group that has the corresponding responsibility, without affecting other users.

When a group’s responsibility changes, you only need to modify the group’s authorization policy, which applies to all users in the group.

One of the Azure AD user management capabilities is to use groups to execute management tasks:

A group of users created in Azure Active Directory. When a role is assigned to a group, all users in this group have this role.

A license or permission can be assigned to multiple users at the same time.

2.2.3 Role Management

A RAM role and a RAM user are both identities used in Alibaba Cloud RAM. In comparison with a RAM user, a RAM role is a virtual user that does not have a long-term authentication key and cannot be used unless it is assumed by an authorized entity.

As a virtual user, a RAM role has a fixed identity and can be granted authorization policies in the same way as a group. However, it does not have a fixed authentication credential (password or access key).

A RAM role differs from a RAM user in the way it is used. A RAM role must be assumed by an authorized entity. After assuming the role successfully, the entity receives a temporary STS security token for that role, which it can then use to access the resources authorized for the role.

Azure AD has a set of administrative roles that are used to manage directories or identity-related functions. These administrators have access to the Azure Portal or to specific functions within it. An administrator’s role determines what they can do, such as create or edit users, assign administrative roles to others, reset user passwords, manage user licenses, or manage domains. Azure AD has a variety of such roles, including the following:

Cloud Application Administrator role

Conditional Access Administrator role

Application Developer role

Intune Service Administrator role

Intune’s Role-Based Access Control (RBAC) helps you control who can perform various Intune tasks within your organization, and whom those tasks apply to. You can either use the built-in roles that cover common Intune scenarios, or create your own roles.

2.3 Authorization Management Comparison

Alibaba Cloud RAM uses permissions to describe the ability of an identity (a user, user group, or role) to access a specific resource. A permission allows or denies the execution of certain operations on certain resources under certain conditions.

In Azure AD, access to cloud apps is granted through user assignments. With Azure AD conditional access, you can control how authorized users access your cloud apps under specific conditions. You can also configure a policy to block access entirely.

2.3.1 Permissions

Alibaba Cloud RAM permissions include:

The primary account (resource owner) controls all permissions.

By default, RAM users (operators) have no permissions.

Resource creators (RAM users) are not automatically granted permissions for resources created by them.

Azure AD defines two kinds of permissions:

Delegated permissions: used by apps that have a signed-in user present.

Application permissions: used by apps that run without a signed-in user present.

2.3.2 Authorization policies

Alibaba Cloud RAM supports the following two types of authorization policies:

System access policies: A group of commonly used permission sets created and managed by Alibaba Cloud, such as the read-only permission for ECS and the complete permission for ECS. You can use these policies, but cannot modify them.

Custom access policies: A group of permission sets created and managed by the user. They can be used to expand and supplement system authorization policies.
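As an added example (not Alibaba Cloud's own code), the following Node.js evaluator applies the permission rules above to constructed RAM-style policy documents (Version "1" with a Statement list of Effect/Action/Resource): a RAM user starts with no permissions, so a request matched by no statement is denied, and an explicit Deny overrides any Allow. The policy contents, action names and resource strings are constructed for illustration.

```javascript
// Minimal evaluator for RAM-style policy documents (Version "1", Statement list
// with Effect/Action/Resource). Constructed example, not Alibaba Cloud's engine.
function globToRegExp(pattern) {
  // "*" matches any run of characters; everything else is literal.
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp(`^${escaped}$`);
}

function matchesAny(patterns, value) {
  return [].concat(patterns).some((p) => globToRegExp(p).test(value));
}

// Returns "Allow" or "Deny" for one (action, resource) request over all policies
// attached to an identity. Rules: no matching statement => Deny (RAM users start
// with no permissions); an explicit Deny overrides any Allow.
function evaluate(policies, action, resource) {
  let allowed = false;
  for (const policy of policies) {
    for (const st of policy.Statement) {
      if (!matchesAny(st.Action, action) || !matchesAny(st.Resource, resource)) continue;
      if (st.Effect === "Deny") return "Deny";
      if (st.Effect === "Allow") allowed = true;
    }
  }
  return allowed ? "Allow" : "Deny";
}

// Constructed policies: a read-only system-style policy for ECS, plus a custom
// policy that grants writes to one bucket but denies deleting anything in it.
const ecsReadOnly = {
  Version: "1",
  Statement: [{ Effect: "Allow", Action: ["ecs:Describe*", "ecs:List*"], Resource: "*" }],
};
const ossAppBucket = {
  Version: "1",
  Statement: [
    { Effect: "Allow", Action: "oss:*", Resource: "acs:oss:*:*:app-bucket/*" },
    { Effect: "Deny", Action: "oss:DeleteObject", Resource: "acs:oss:*:*:app-bucket/*" },
  ],
};
const attached = [ecsReadOnly, ossAppBucket];

console.log(evaluate(attached, "ecs:DescribeInstances", "acs:ecs:*:*:instance/i-1")); // Allow
console.log(evaluate(attached, "ecs:DeleteInstance", "acs:ecs:*:*:instance/i-1"));   // Deny
console.log(evaluate(attached, "oss:PutObject", "acs:oss:*:*:app-bucket/a.txt"));     // Allow
console.log(evaluate(attached, "oss:DeleteObject", "acs:oss:*:*:app-bucket/a.txt"));  // Deny
```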

In Azure AD, you can use conditional access policies to block access completely, or to allow access only when other access conditions are met. Azure AD conditional access provides several policy controls, primarily the following:

Multi-factor authentication: Using multi-factor authentication helps protect resources from being accessed by an unauthorized user who might have gained access to a valid user’s primary credentials.

Compliant device: You can configure conditional access policies that are device-based. The objective of a device-based conditional access policy is to grant access to the configured resources only from managed devices.

Custom controls: These controls allow the use of certain external or custom services as conditional access controls and generally extend the capabilities of Conditional Access.

2.4 Expenses

Alibaba Cloud RAM does not charge service fees. If you meet the activation criteria and have activated this service, you can use it immediately.

Azure AD is available in free and paid versions (you are billed only for the functions you need). It comes in four editions: Basic, Premium P1, Premium P2 and Office 365.

3 Key management service

Alibaba Cloud Key Management Service (KMS) is a secure and easy-to-use service to create, control, and manage encryption keys used to secure your data. KMS enables you to protect the confidentiality, integrity, and availability of keys while also saving on costs.

Azure Key Vault helps safeguard and manage cryptographic keys and secrets used by cloud applications and services. By using Key Vault, you can encrypt keys and secrets using keys protected by Hardware Security Modules (HSMs).

3.1 Main functions comparison

| Service Type | Azure Key Vault | Alibaba Cloud KMS |
| --- | --- | --- |
| API/SDK | API, SDK | API, SDK |
| Key management | Centralized management | Fully managed |
| Key protection | Keys are safeguarded by Azure, using industry-standard algorithms, key lengths, and HSMs. | KMS combines a distributed system and cryptographic hardware to achieve high reliability. |
| Authorized access | Azure Active Directory is used to perform authentication | Integrates RAM and supports unified authorization management |
| Security | Symmetric Data Encryption Keys (DEKs) are used to encrypt data | Can integrate with a variety of Alibaba Cloud services (such as ApsaraDB for RDS and OSS) and supports integration with third-party services |
| Service reliability | 99.9% | 99.9% |
| Scalability | Supported | Supported |

3.2 API & SDK Support

Alibaba Cloud KMS allows you to generate and manage master keys through APIs, and to encrypt and decrypt small volumes of data directly through APIs. You call a KMS API operation by sending an HTTP POST or GET request to the KMS API endpoint, including the request parameters described for that operation. The service returns the result of processing the request. Currently, Alibaba Cloud provides SDKs in four languages: Java, Python, PHP and C#.

Managing your key vaults, as well as the keys, secrets, and certificates within them, can be accomplished through a REST API. You can use PowerShell to create a key vault and then store a secret in the newly created vault. Currently, Azure Key Vault provides SDKs for .NET, Java, Python and Node.js.

3.3 Key management and protection

Alibaba Cloud KMS combines a distributed system and cryptographic hardware to achieve high reliability. KMS enables easy data key encryption and decryption by using Customer Master Keys (CMKs) stored in KMS, and exposes APIs based on envelope encryption. KMS can integrate with your services and encrypt or decrypt your data keys using a master key that you specify, which makes it easy to meet the requirement that no plaintext key is ever written to a storage device. KMS thereby eliminates the risk of storing plaintext keys directly on storage devices.

Centralizing storage of application secrets in Azure Key Vault allows you to control their distribution. Keys are safeguarded by Azure, using industry-standard algorithms, key lengths, and HSMs. Access to a key vault requires proper authentication and authorization before a caller (user or application) can get access.

3.4 Access authorization

When RAM is used to authorize access to KMS resources, the primary account has full operation permissions on its own resources. A sub-account (RAM user), however, must be granted the corresponding resource operation permissions through RAM authorization.

Applications that use an Azure key vault must authenticate by using a token from Azure Active Directory. To do this, the owner of the application must first register the application in their Azure Active Directory.

3.5 Service integration

KMS can be integrated with a variety of Alibaba Cloud services (such as ApsaraDB for RDS and OSS), or with third-party services through its RESTful API, so that you can encrypt critical information such as certificates and keys stored with those services. You can use these keys securely and conveniently, and focus on the application scenarios that need encryption and decryption rather than on implementing them.

The Azure Key Vault (AKV) service is designed to improve the security and management of keys by holding them in a secure and highly available location. For example, for SQL Server in Azure VMs, you can save time by using the AKV Integration feature. After enabling Azure Key Vault Integration, you can enable SQL Server encryption on your SQL VM.

3.6 Cost

Alibaba Cloud KMS in regions outside China has not been commercialized and is therefore currently free. KMS in China provides three billing scenarios (charges depend on the scenario):

1. Common key management charges
2. Service key management charges
3. API calling charges

AKV offers two service tiers, standard and premium. Each service tier contains different billing items. For more information, see Key Vault Pricing.